Kai,
On 2/7/2012 12:58, Kai Engert wrote:
That's a reason why I propose vouchers to be IP specific.
In my understanding, each IP will have only a single certificate,
regardless of where in the world you connect to it.
That's definitely an incorrect assumption to make.
There can be a
On 02/07/2012 09:58 PM, Kai Engert wrote:
On 07.02.2012 17:54, Ondrej Mikle wrote:
The phone calls would ensure that each registered person will be aware
of the certificate issuance.
This is getting very close to EV validation (Sovereign Keys have the
same issue).
I'd say making phone
On 08/02/12 12:43, Ondrej Mikle wrote:
On 02/07/2012 09:58 PM, Kai Engert wrote:
snip
That's a reason why I propose vouchers to be IP specific.
In my understanding, each IP will have only a single certificate,
regardless of where in the world you connect to it.
It's not true in general.
On 02/07/2012 06:04 PM, Kai Engert wrote:
The CA will remember the association {IP, certificate}. In future
requests, as long as this requesting IP requests a voucher for the same
certificate, the described bidirectional authentication and verification
will be sufficient.
Just a technicality:
Hi,
Kai Engert wrote:
If the attacker is able to hack the router that is close to the
webserver (e.g. hack the ISP that hosts the webserver), then the
attacker might be able to simply apply for a certificate from a CA and
intercept the (plaintext) approval emails the CA sends to the domain's
My previous message was a proposed solution to the problem where the attacker is
close to the server and uses it to obtain a new fraudulent cert, and I
proposed to use an organizational approach to prevent that attack.
In addition, another potential attack is, the attacker has obtained a
certificate
On 07.02.2012 17:54, Ondrej Mikle wrote:
The phone calls would ensure that each registered person will be aware
of the certificate issuance.
This is getting very close to EV validation (Sovereign Keys have the
same issue).
I'd say making phone calls is less effort than checking business
Why not just use the secure domain transfer identifier? Only the real holder
of the domain has that.
-Kyle H
On Mon, Feb 6, 2012 at 12:21 PM, Kai Engert k...@kuix.de wrote:
On 21.10.2011 15:09, Kai Engert wrote:
This is an idea how we could improve today's world of PKI, OCSP, CA's.
https://kuix.de/mecai/
Review, thoughts and reports of flaws welcome.
Thanks to Peter Eckersley, who first mentioned to me at 28c3 that there
is one scenario that isn't solved by
Just a quick thought, that I don't want to lose.
Maybe it would be a reasonable middle-ground to define:
- for intermediate CAs, OCSP information is published in DNS
- for servers, we use OCSP stapling
(Rob, thanks for your response, I'm still digesting.)
Regards
Kai
--
dev-tech-crypto mailing
On Wednesday 07 Dec 2011 04:19:09 Kai Engert wrote:
snip
I haven't researched, but has anyone already thought of distributing
OCSP records using DNS in general?
If we had OCSP-in-DNS, we might not even require OCSP stapling. This
could run as a service completely independent of the SSL
On 21.10.2011 15:09, Kai Engert wrote:
This is an idea how we could improve today's world of PKI, OCSP, CA's.
https://kuix.de/mecai/
After more brainstorming I came up with some incremental ideas.
Thanks a lot to Adam Langley for pointing out scenarios that weren't yet
sufficiently handled
This is an idea how we could improve today's world of PKI, OCSP, CA's.
https://kuix.de/mecai/
Review, thoughts and reports of flaws welcome.
Thanks and Regards
Kai
On 10/21/2011 08:09 AM, Kai Engert wrote:
This is an idea how we could improve today's world of PKI, OCSP, CA's.
https://kuix.de/mecai/
This is great. We need these kinds of ideas.
Review, thoughts and reports of flaws welcome.
OK, this is a serious thought, not just a flippant remark:
On 10/21/2011 03:09 PM, From Kai Engert:
This is an idea how we could improve today's world of PKI, OCSP, CA's.
https://kuix.de/mecai/
Review, thoughts and reports of flaws welcome.
Interesting - but it probably will never work. I don't see CAs
cooperating to this extent, it will probably